1H 2017 Quick Links, Part 2 (Privacy, Security)

The plaintiffs allege that they agreed to the MyPlayer terms and conditions, that NBA 2K15 scanned their faces to create personalized basketball avatars, and that the plaintiffs used their personalized basketball avatars for in-game play. The plaintiffs thus allege that the MyPlayer feature functioned exactly as anticipated. There is no allegation that Take-Two has disseminated or sold the plaintiffs’ biometric data to third parties, or that Take-Two has used the plaintiffs’ biometric information in any way not contemplated by the only possible use of the MyPlayer feature: the creation of personalized basketball avatars for in-game play…. The purported violations of the BIPA are, at best, marginal, and the plaintiffs lack standing to pursue their claims for the alleged bare procedural violations of the BIPA.

At best, the plaintiffs’ allegations are that Take-Two’s storage and dissemination practices have subjected their facial scans to an “enhanced risk of harm” of somehow falling into the “wrong hands,” which is too abstract and speculative to support standing…. The plaintiffs attempt to circumvent the speculative and abstract nature of their claims by arguing that the potential risk of harm associated with the face scans could be potentially great because faces are relatively immutable, and, unlike (for example) passwords, cannot be changed. But the hypothetical magnitude of a highly speculative and abstract injury that is not certainly impending does not make the injury any less speculative and abstract.

The plaintiffs argue that the alleged notice and consent violations harmed their “right-to-information” about the underlying biometric transaction, which the plaintiffs contend should be sufficient in-of-itself to confer standing without any allegations of additional harm. The purported right-to-information about a biometric-facilitated transaction is not a concrete interest separate from the core object of the BIPA to prevent biometric data misuse…. Unlike statutes where the provision of information about statutory rights, or matters of public concern, is an end itself, the BIPA’s notice and consent provisions do not create a separate interest in the right-to-information, but instead operate in support of the data protection goal of the statute.

This Court finds that unwanted phone calls cause concrete harm. For consumers with prepaid cell phones or limited-minute plans, unwanted calls cause direct, concrete, monetary injury by depleting limited minutes that the consumer has paid for or by causing the consumer to incur charges for calls. In addition, all robocalls deplete a cell phone’s battery, and the cost of electricity to recharge the phone is also a tangible harm. While certainly small, the cost is real, and the cumulative effect could be consequential.

Of more import, such calls also cause intangible injuries, regardless of whether the consumer has a prepaid cell phone or a plan with a limited number of minutes. The main types of intangible harm that unlawful calls cause are (1) invasion of privacy, (2) intrusion upon and occupation of the capacity of the consumer’s cell phone, and (3) wasting the consumer’s time or causing the risk of personal injury due to interruption and distraction.

* Safari Club Int’l v. Rudolph, 2017 WL 192713 (9th Cir. Jan. 18, 2017). CA’s anti-SLAPP law does not protect posting a recording to YouTube that was possibly illegally created. Interesting quote: “privacy is relative and, depending on the circumstances, one can harbor an objectively reasonable expectation of privacy in a public location.”

* Ars Technica: Now sites can fingerprint you online even when you use multiple browsers

* The Verge: What does the new ISP data-sharing rollback actually change?

* Techdirt: AT&T, Comcast & Verizon Pretend They Didn’t Just Pay Congress To Sell You Out On Privacy

* Washington Post: How Congress dismantled federal Internet privacy rules. If the Internet companies like Facebook and Google really did sell out for fear that the FCC rules would be extended to them, it seems ironic that Rep. Blackburn turned around and introduced legislation that would extend opt-in privacy rules to them. Oops.

* The Guardian: The customer is always wrong: Tesla lets out self-driving car data – when it suits

* AdWeek: These Smart Retail Shelves Tell Brands All About Who Is Looking at Their Products

* Wired: Hundreds of Apps Can Listen for Marketing ‘Beacons’ You Can’t Hear

* Irish Times: Digital age of consent should be 13, says children’s rapporteur

Security

* Dittman v. UPMC, 2017 PA Super 8 (Pa. Superior Ct. Jan. 12, 2017):

While a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information. In the modern era, more and more information is stored electronically and the days of keeping documents in file cabinets are long gone. Without doubt, employees and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data. Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information. We note here that Appellants do not allege that UPMC encountered a specific threat of intrusion into its computer systems….

We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether. Employers strive to run their businesses efficiently and they have an incentive to protect employee information and prevent these types of occurrences.

* Beck v. McDonald, 2017 WL 477781 (4th Cir. Feb. 6, 2017): “The Plaintiffs allege that: (1) 33% of health-related data breaches result in identity theft; (2) the Defendants expend millions of dollars trying to avoid and mitigate those risks; and (3) by offering the Plaintiffs free credit monitoring, the VA effectively conceded that the theft of the laptop and pathology reports constituted a “reasonable risk of harm to those victimized” by the data breaches. These allegations are insufficient to establish a “substantial risk” of harm.”

* Slate: The Same Republicans Who Pushed for Invasive Surveillance Are Complaining About It Now

* The Switch: Yahoo’s data security breaches cost it $350M in sales price. However, “Verizon didn’t seek a bigger discount because its internal investigation showed that only a “minimal” number of Yahoo’s monthly active users abandoned the company after it disclosed the data breaches”

* The Recorder: After Yahoo, Are In-House Counsel Jobs at Risk Over Cybersecurity?